Welcome back to part 16 of Unusual Journeys into Infosec. One of the things that continues to surprise me is the varied backgrounds people have when they finally end up in our industry.
These diverse backgrounds only enrich the community, because they help create unique approaches to problem solving by drawing on life experiences. And by sharing these journeys, we encourage those who think they don't fit to make the push.
Essentially, it doesn't matter what your background is; your aptitude and attitude are what really count.
In this episode I wanted to understand the CISO's (Chief Information Security Officer's) perspective on all things infosec, and the challenges of finding talent!
There are few people with the depth and breadth of experience (and sense of humour) of Michael Ball, so he was my logical choice!!
I've been speaking to Michael for a few years now on Twitter; he's even come along for the ride on a few Threadzillas!!! I really wanted to get into his ribs, understand his background, and hear what he thinks the industry can do to better attract and retain the very best talent!
So sit back and enjoy the ride, and the history lesson, that is Michael Ball's (Unix_Guru) Unusual Journey into Infosec!!
CyberSecStu (CSS): I'm looking to understand unusual journeys into infosec, and specifically in this interview your perspective as a tenured CISO. Where did your journey begin?
Michael Ball (MB): Electronics technologist at IBM, working on OS/2 Warp drivers and accessories. Took a course on networking and another on firewalls. Newish concepts at the time. ('94)
Large insurance company in Canada hired me to architect their internet access and DMZ. I asked for their information security policy… standards… anything that I could hitch a design standard to. They waved a two-paragraph page at me…
I refused to build against a non-existent policy framework. I didn't want the accountability. Which nobody understood at the time. A month later, they asked me to help with governance. Having zero experience, I said the only thing I could… "Love to! Where do I sign?"
Spent six years running IT security. Eventually named CISO when that became a thing. Did all the architecture, because that's what I knew. Took RSA and SANS courses, and eventually created an information security policy framework.
What nobody told me was that you can't easily audit what isn't documented… and once you document things… the auditors have a field day… Lesson learned was "keep your first set of information security standards within reach of achievement"!
I was following "best practice", and had a long way to go in hardening the environment.
CSS: Was there a big jump from what you were doing before, to Infosec, and how did you manage?
MB: I lucked out, getting into infosec in its infancy. We didn't have the vendors and maturity we have now.
On the other hand, because it was so new, everyone thought we had to follow strict NIST guidance, which was totally unrealistic. Auditors were our adversaries back then. Today, they are my companions.
Controls were black and white. Compensating controls were not something the auditors had experience with.
The first year, I told the board of directors "we need to protect our BBS and web server from the internet"… we need a firewall… I got budget.
Year two… same story… thank you for the firewall budget, but it doesn't protect from brute force hacking… I need intrusion detection. They were leery… we just gave you budget for internet protection. Why do you need more?
I had to explain to the executive that Internet threats were steadily getting more advanced. A firewall simply followed a set of predefined rules for what traffic was allowed in, and the bad guys could emulate that traffic to get THEIR stuff in too. I got budget that year too… barely…
By year three, when our IDS was firing constantly, and nobody knew anything about deciphering false positives, or comprehending the crazy complex logs from firewalls, web servers, intrusion detection, anti-malware, Active Directory… I asked for a SIEM…. they lost their shit!!
"Listen! You told us that you could protect us with a firewall thing… we gave it to you!… Then you told us that wasn't good enough, and you needed some OTHER thing to track attackers… Now you are telling us THAT is not good enough? No! Not gunna happen!"
Aaaaand that's when I decided that the Audit team was going to become my new best friend.
When you give up the adversarial relationship with internal audit, and help them do their job (your job!), you can build an achievable roadmap to security controls.
CSS: Thanks for sharing this. I agree Internal Audit has become a vital role in supporting the CISO, especially in Financial Services with the 3 lines of defence! What do you think are the biggest challenges facing a CISO today?
MB: Hmmm… getting the message across to your Executive (without panicking them!), that not only WILL we get breached someday, but could quite possibly be breached RIGHT NOW and not know it.
That a properly articulated AND TESTED Breach Response plan is necessary, and this includes pre-planned communications templates for all potential stakeholders.
Awareness training is another challenge. Many companies do it annually… Read/watch a big presentation, answer a few skill-testing questions, sign off. Meh… not good enough.
I like to break it into bite-size chunks, and publish a short 2–3 slide presentation with 1–2 questions monthly. Keep it topical, but fun and friendly.
Another issue is in constantly keeping MYSELF educated. The vendor noise these days is ridiculous. Every vendor out there has the magic elixir for all my security woes.
And they ALL use Containerized-Blockchain-Threat-Hunting-AI with Deep Learning Bayesian-Curve technology!
I mean, how can I possibly choose between them? Especially the ones that have been doing this for nine years in a two year old market!?
Privileged Access Management, Cloud Access Security Brokers, and a strong SIEM practice are my top three initiatives to protect and preserve.
CSS: Excellent, I love this. I assume being a CISO you had people in your team?
MB: I've had a couple of different CISO gigs. In the larger companies, I was blessed with direct reports who ran security operations, and helped with governance and compliance.
My most recent two CISO gigs were actually "Virtual CISO" or "CISO Consultant". The companies were either too small to justify a full-time CISO, or wanted to build the Business Case for hiring a full-time CISO.
I provide the governance oversight, and have "dotted line" roles report to me.
CSS: Yeah the Virtual CISO is an important role these days, I think quite a few companies like this idea!
When you hired people in infosec, what did you look for, and what were your biggest challenges/wins finding people?
MB: I'd rather take someone with skills in networking or sysadmin, and who has a passion for their job, and train them in security.
Skills you can train. Passion, devotion, and loyalty cannot be trained, but have to be earned.
Trying to hire "Infosec peeps" today is tough. There are two issues with hiring "experienced" Infosec people… They know that they are a hot commodity and rightfully expect high money, and they come with their previous employer's baggage. "THIS IS HOW WE'VE DONE THIS AT ACME Inc".
I don't subscribe to "This is how we've always done it here", so I CERTAINLY don't subscribe to "This is how we've always done it THERE".
CSS: Haha yes exactly. What do you think companies can do to attract and retain talent today?
MB: Security peeps like to continually learn.
Advertise and provide a continuous training package as part of their benefits. Lock it in so that they actually HAVE to use it as well. It goes both ways:
Provide opportunities for growth
Rotate people through roles
Don't let them stagnate in a single job.
CSS: What advice do you have for people starting out on their journey into infosec today?
MB: Look up a local infosec gathering, and attend regularly. Not just BSides, but look for monthly get-togethers in your city on Meetup.
Besides sharing in knowledge, it will get your face in front of others in the community when they're hiring.
And if there is NOT a local infosec meetup, start one! Nothing wrong with 4–5 people to start, in a coffee shop or local library. Invite vendors out to talk about their space, not specifically about their product. You'd be surprised how willing most vendors are to have an audience, no matter how small.
Participate actively online. Get to know the thought leaders on Twitter and that FaceThing… ask questions, engage. There are no stupid questions, just stupid users.
CSS: Excellent!!! What's most valuable to you as a hiring manager for noobs?
MB: Enthusiasm and both a desire to learn, as well as a desire to share. Retention is difficult, so making sure that individuals feel wanted and respected within the team is of utmost importance.
CSS: One final question… what is it about infosec you love the most?
MB: Can I say Job Security? LOL
It's a field or service that EVERY company needs, and most are still in the low end of the maturity model. I like feeling like I'm doing something good.
I have no misconceptions that any one engagement is going to be long term. If I do my job correctly, I'll do myself out of that job.
As a virtual CISO, I typically get to go into a company that is struggling in an audit, or has had regulations heaped on them. I get to guide them through the process of creating an Information Security Framework, and create/update/validate Security Operations procedures and guidelines.
Being able to show a positive trend in security metrics is always a delight.
CSS: I absolutely agree!!
Thank you so much for sharing your valuable experience. Is there anyone you'd like to thank or mention… (soapbox moment)?
MB: My early sounding boards here on Twitter were @3ncr1pt3d @synackpse @bigendiansmalls @mainframed767 @nixcraft @Cannibal @sudosev @5683Monkey @securitybrew @darksim905 @blackroomsec @benheise @ronindey
Michael has so much experience, it's hard to fit it into a short article, let alone distil it into a bite-sized takeaway!!
Firstly, Michael mentioned the importance of "getting out there" when first starting out in infosec, especially local BSides and meetups, but the advice that personally stood out was starting your own, if one does not exist.
This strikes a chord with me personally: starting up The Many Hats Club, having not been connected to any online community (outside of Twitter) before, was one of the best things I have done to date! So starting an online community, or even better a meetup, is always highly recommended, and as Michael rightly said, start small and grow over time.
Also, when searching for a new role, hunting down companies that offer ongoing training is vitally important, as this shows a willingness to invest long term in your career and development!
Finally, these are words to live by and adopt:
Skills you can train. Passion, devotion, and loyalty cannot be trained, but have to be earned.
